libImaging/SgiRleDecode.c in Pillow before 6.2.2 has an SGI buffer overflow.
Created python-pillow tracking bugs for this issue:
Affects: fedora-all [bug 1789541]
Created python3-pillow tracking bugs for this issue:
Affects: epel-7 [bug 1789542]
While Red Hat Quay includes the python-pillow it's not used, therefore this issue is rated moderate for Red Hat Quay.
This issue did not affect the versions of python-pillow and python-imaging as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include the SGI RLE image decoder, where the flaw lies.
Function expandrow() is called by ImagingSgiRleDecode() in SgiRleDecode.c to load and decode an input image. While reading compressed rows of the input image, expandrow() does not consider the image size, thus it is possible to overwrite past the end of the output buffer. This flaw could be used by an attacker to overwrite heap metadata and potentially execute code.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:0566 https://access.redhat.com/errata/RHSA-2020:0566
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):